Penetration Testing mailing list archives

Re: [PEN-TEST] Ethics Scenario


From: Edward Mitchell <ed () THE7THBEER COM>
Date: Mon, 2 Oct 2000 13:40:56 -0700

"Poking around" and "using the site" infer/imply two very different and
distinct things in my mind.  "Using the site" -- literally that.  Using it
as a customer or legitimate user would and finding a problem.  That should
be reported to the site owners ASAP.  Let the owners decide if they want
help securing things and let them decide if they want to enlist your help.

This happened to a friend of mine who is not a computer-type...he was
ordering some candy from candy.com and ended up with a screen full of
credit card orders.  He emailed them at my advice and got lots of free
candy in return. :)

Poking around means just that....you're looking for a weakness and acting
with a purpose other than day-to-day use.  That's a very grey, bordering
on black, area.  If someone did that to my site and then said "Hey, we
only charge $500/hour for an audit and patches", I'd probably be on the
phone to my attorney and local law enforcement, not to mention the BBB and
anyone else who would listen.



On Mon, 2 Oct 2000, Christopher M. Bergeron wrote:

Here's a scenario that I'd like to get people's input on:

A) Our company does pen-tests, security auditing etc...
B) Our team finds a vulnerability/hole on a website just by poking around / using the site.

The question is this:
Do we tell the website company who we are and that we have discovered a vulnerability and then offer to provide them 
assistance with the vulnerability (for pay of course).  i.e. offering them a full pen-test or an IDS or something...?


Or does this tend to fall into the "chasing ambulances" type of business marketing strategy?
